The vast majority of websites and applications accessible via the Internet or a mobile device offer some sort of sign-in or sign-up functionality. This functionality enables a user of a particular website or application to create an account or access the account associated with the respective service provided by the website or application. Personally identifiable information (PII) is often used by organizations to authenticate a user's identity. For example, PII may include information such as full names, home addresses, social security numbers, dates of birth, and biometrics, as well as non-public information (e.g., mother's maiden name). Organizations typically store PII associated with the user accounts in some variety of database or directory. As the increasing rate of data breaches provides a constant reminder, these databases or directories can be accessed by malicious actors, exposing the users to identity theft and fraud.
To add to this problem, users often reuse the same PII on multiple websites or applications. This creates a security issue where a breach in one organization may enable a malicious actor to compromise accounts at other organizations. For example, using breached PII, malicious actors recently stole tax refunds from approximately 104,000 people.